aws-samples / aws-secure-environment-accelerator

The AWS Secure Environment Accelerator is a tool designed to help deploy and operate secure multi-account, multi-region AWS environments on an ongoing basis. The power of the solution is the configuration file which enables the completely automated deployment of customizable architectures within AWS without changing a single line of code.
Apache License 2.0

[BUG] [SM] Phase 2 SecurityGroup Error #1213

Closed AWSElectionsQuebec closed 6 months ago

AWSElectionsQuebec commented 7 months ago

Required Basic Info

Describe the bug
We have the following resource defined in a CloudFormation template:

    "SecurityGroupsSharedAccount2DataIngress06F21500D4": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "Description": "Central VPC Traffic Inbound from Mgmt-a",
        "GroupId": { "Ref": "SecurityGroupsSharedAccount2DataFBF92784" },
        "IpProtocol": "-1"
      }
    }

According to the documentation this is invalid, but should not fail the stack: "You must specify only one of the following sources: an IPv4 or IPv6 address range, a prefix list, or a security group. Otherwise, the stack launches successfully, but the rule is not added to the security group." Ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-securitygroupingress.html

This is the behavior we were seeing previously (stack created without error, but no rule created). However, the same stack is now failing with this error:

CREATE_FAILED | AWS::EC2::SecurityGroupIngress | DevLepPhase2/SecurityGroupsDev-Shared-2/SecurityGroups-SharedAccount-2/Data-Ingress-0-6 (SecurityGroupsSharedAccount2DataIngress06F21500D4) Resource handler returned message: "Exactly one of CidrIp, CidrIpv6, SourceSecurityGroupId, and SourcePrefixListId must be specified and not empty" (RequestToken: 3a1db87f-fd7b-3e8c-d94b-b21ac0f721c4, HandlerErrorCode: InvalidRequest)

Has there been, recently, a change on how this behavior is enforced?

Failure Info

Required files

Logical ID: ASEA-DevLep-Phase2-SecurityGroupsDevShared2NestedStackSecurityGroupsDevShared2NestedSt-LS5N0XOSDYFQ Status: CREATE_FAILED Status reason: The following resource(s) failed to create: [SecurityGroupsSharedAccount2DataIngress00F34A5A39, SecurityGroupsSharedAccount2MgmtIngress17F90AFBBB, SecurityGroupsSharedAccount2MgmtIngress104125E808, SecurityGroupsSharedAccount2MgmtIngress1607DED6CB, SecurityGroupsSharedAccount2DataIngress08C8EE6D79, SecurityGroupsSharedAccount2AppIngress0754743510, SecurityGroupsSharedAccount2MgmtIngress18EB52F9D3, SecurityGroupsSharedAccount2MgmtIngress116A62309F, SecurityGroupsSharedAccount2DataIngress035FE8591D, SecurityGroupsSharedAccount2WebIngress18E4A8B7E8, SecurityGroupsSharedAccount2WebIngress1433FBE6B0, SecurityGroupsSharedAccount2WebIngress106987B201, SecurityGroupsSharedAccount2MgmtIngress14BAEC15F4, SecurityGroupsSharedAccount2AppIngress045921009A, SecurityGroupsSharedAccount2WebIngress12A2A3B54A, SecurityGroupsSharedAccount2DataIngress01024327791, SecurityGroupsSharedAccount2AppIngress0065BFDE57, SecurityGroupsSharedAccount2WebIngress159C919868, SecurityGroupsSharedAccount2MgmtIngress110E49CA30A, SecurityGroupsSharedAccount2WebIngress134FABAB12, SecurityGroupsSharedAccount2DataIngress012BF1D750, SecurityGroupsSharedAccount2AppIngress067A5A882C, SecurityGroupsSharedAccount2DataIngress07E62427CE, SecurityGroupsSharedAccount2MgmtIngress156D3A7EBB, SecurityGroupsSharedAccount2AppIngress010DFBB0CA, SecurityGroupsSharedAccount2DataIngress011436E8E61, SecurityGroupsSharedAccount2MgmtIngress13496978A1, SecurityGroupsSharedAccount2MgmtIngress192BD4CBB2, SecurityGroupsSharedAccount2AppIngress011B9608648, SecurityGroupsSharedAccount2WebIngress193765D73D, SecurityGroupsSharedAccount2AppIngress02016F0A9D, SecurityGroupsSharedAccount2DataIngress02A22AC80F, SecurityGroupsSharedAccount2AppIngress083DAF3BDC, SecurityGroupsSharedAccount2AppIngress01041C73D1B, SecurityGroupsSharedAccount2WebIngress1181054897, 
SecurityGroupsSharedAccount2DataIngress04582F4820, SecurityGroupsSharedAccount2WebIngress1107F5D0624, SecurityGroupsSharedAccount2DataIngress052F32FB9E, SecurityGroupsSharedAccount2MgmtIngress111BE6B15F7, SecurityGroupsSharedAccount2WebIngress173D0B7DDD, SecurityGroupsSharedAccount2DataIngress097A448418, SecurityGroupsSharedAccount2AppIngress053A39F8DF, SecurityGroupsSharedAccount2WebIngress111AA65C79B, SecurityGroupsSharedAccount2WebIngress1667A14582, SecurityGroupsSharedAccount2MgmtIngress120B402375, SecurityGroupsSharedAccount2AppIngress038FF5B73E, SecurityGroupsSharedAccount2AppIngress09326BB9CE, SecurityGroupsSharedAccount2DataIngress06F21500D4].

Additional context
We were trying to add two accounts in our Config.json file: one in the Dev OU (the error is concerning that account) and one in the Central OU (Phase 2 for that account went without a hitch).

archikierstead commented 6 months ago

Fixed in 1.5.9

Maxwell2022 commented 4 months ago

@AWSElectionsQuebec Where did you see this in the doc?

According to the documentation this is invalid but should not fail the stack “You must specify only one of the following sources: an IPv4 or IPv6 address range, a prefix list, or a security group. Otherwise, the stack launches successfully, but the rule is not added to the security group.” Ref : https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-securitygroupingress.html

We are having the exact same error with our stack, but the template we use has not changed at all. The stack was created correctly before and now it's throwing this error. Did something change recently in AWS, as in around February?

For context we are using an EB configuration:

  aws:autoscaling:launchconfiguration:
    SecurityGroups: default
    SSHSourceRestriction: tcp, 22, 22, Some Security Group Name

This application is deployed in the default VPC so we should be able to specify the SG name.

For security groups in a nondefault VPC, you must specify the group ID.

Only for deployment in a non-default VPC do you need the ID.

This is transformed into the following CloudFormation rule:

  "Resources": {
    "AWSEBSecurityGroupSSHIngress": {
      "Properties": {
        "GroupName": { "Ref": "AWSEBSecurityGroup" },
        "FromPort": "22",
        "ToPort": "22",
        "SourceSecurityGroupName": "Some Security Group Name",
        "IpProtocol": "tcp"
      },
      "Type": "AWS::EC2::SecurityGroupIngress"
    },

and fails on creation of the stack with this same error for the logical ID "AWSEBSecurityGroupSSHIngress":

Resource handler returned message: "Exactly one of CidrIp, CidrIpv6, SourceSecurityGroupId, and SourcePrefixListId must be specified and not empty" (RequestToken: xxxx, HandlerErrorCode: InvalidRequest)

AWSElectionsQuebec commented 2 months ago

Hi @Maxwell2022 ,

The documentation was updated on March 6 to remove the sentence "Otherwise, the stack launches successfully, but the rule is not added to the security group." Something has changed in February. We opened a support case on March 1st and the answer was:

After conducting testing and verifying with the Internal Team, the resource and property reference has been updated to state that one of the following 4 properties must be included for the resource "AWS::EC2::SecurityGroupIngress" [1].

List of included properties [1]:

    CidrIp
    CidrIpv6
    SourceSecurityGroupId
    SourcePrefixListId
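Both failures in this thread (the ASEA rule with `IpProtocol: -1` and no source at all, and the Elastic Beanstalk rule that carried only `SourceSecurityGroupName`) trip the same handler check: exactly one of the four source properties listed above must be present and non-empty. Under the old behaviour the stack succeeded and the rule was silently dropped, which for a security group is the worse outcome, because the deployed ruleset differs from the reviewed template without any signal. The script below is an added example, not code from this issue or from the accelerator project: it lints the `Resources` section of a JSON CloudFormation template for `AWS::EC2::SecurityGroupIngress` resources that would be rejected. The sample template, its logical IDs and the `vpc-`/security-group references are constructed for the demonstration; the treatment of `SourceSecurityGroupName` as not satisfying the check follows the report in this thread and is an assumption about the handler, not a documented rule.

```python
"""Pre-deployment lint for AWS::EC2::SecurityGroupIngress resources in a
CloudFormation template (JSON form).

The resource handler rejects any ingress rule that does not name exactly one
source ("Exactly one of CidrIp, CidrIpv6, SourceSecurityGroupId, and
SourcePrefixListId must be specified and not empty"). Catching this in the
template avoids both the CREATE_FAILED roll-back and the older silent drop.
"""
import json
import sys

# The four source properties named in the handler's error message.
INGRESS_SOURCES = ("CidrIp", "CidrIpv6", "SourceSecurityGroupId", "SourcePrefixListId")


def _is_empty(value):
    """Absent, null and blank-string values count as 'not specified'.
    Intrinsic functions such as {"Ref": ...} are dicts and count as present."""
    return value is None or (isinstance(value, str) and value.strip() == "")


def check_ingress(logical_id, props):
    """Return a list of (logical_id, message) findings for one ingress rule."""
    present = [k for k in INGRESS_SOURCES if not _is_empty(props.get(k))]
    if len(present) == 1:
        return []
    if not present:
        msg = "no source: exactly one of %s is required" % ", ".join(INGRESS_SOURCES)
        # Assumption based on this thread: a rule carrying only
        # SourceSecurityGroupName was rejected with the same error.
        if not _is_empty(props.get("SourceSecurityGroupName")):
            msg += " (SourceSecurityGroupName alone did not satisfy the handler)"
        return [(logical_id, msg)]
    return [(logical_id, "multiple sources (%s): exactly one is allowed" % ", ".join(present))]


def lint_template(template):
    """Walk every resource and check the SecurityGroupIngress ones."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            findings.extend(check_ingress(logical_id, res.get("Properties", {})))
    return findings


def lint_json(text):
    """Convenience wrapper for a template held as a JSON string or file body."""
    return lint_template(json.loads(text))


# Constructed sample template: four rules the handler would reject and one valid rule.
SAMPLE_TEMPLATE_JSON = """{
  "Resources": {
    "SharedSg": {"Type": "AWS::EC2::SecurityGroup",
                 "Properties": {"GroupDescription": "constructed", "VpcId": "vpc-00000000"}},
    "MgmtSg":   {"Type": "AWS::EC2::SecurityGroup",
                 "Properties": {"GroupDescription": "constructed", "VpcId": "vpc-00000000"}},
    "NoSourceRule": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {"Description": "Central VPC Traffic Inbound from Mgmt-a",
                     "GroupId": {"Ref": "SharedSg"}, "IpProtocol": "-1"}},
    "NameOnlyRule": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {"GroupName": {"Ref": "SharedSg"}, "IpProtocol": "tcp",
                     "FromPort": 22, "ToPort": 22,
                     "SourceSecurityGroupName": "Some Security Group Name"}},
    "EmptyCidrRule": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {"GroupId": {"Ref": "SharedSg"}, "IpProtocol": "tcp",
                     "FromPort": 443, "ToPort": 443, "CidrIp": ""}},
    "TwoSourcesRule": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {"GroupId": {"Ref": "SharedSg"}, "IpProtocol": "tcp",
                     "FromPort": 443, "ToPort": 443,
                     "CidrIp": "10.0.0.0/8", "SourceSecurityGroupId": {"Ref": "MgmtSg"}}},
    "GoodRule": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {"GroupId": {"Ref": "SharedSg"}, "IpProtocol": "-1",
                     "SourceSecurityGroupId": {"Ref": "MgmtSg"}}}
  }
}"""


if __name__ == "__main__":
    # Lint a template file given on the command line, else the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE_JSON
    results = lint_json(text)
    for logical_id, message in results:
        print("%s: %s" % (logical_id, message))
    sys.exit(1 if results else 0)
```

Run it against the synthesized template (for ASEA, the output of the phase that generated the nested stack) before deploying; a non-zero exit is the signal that the stack would now fail, and, on older handler behaviour, that a rule you reviewed would never have been applied.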